Salesforce New Jersey User Group - Security Awareness
2.
- Salesforce Pardot Marketing Automation & Data.com: March 24, 2-5pm @ The Heldrich Hotel in New Brunswick
- 4th Annual PhillyForce Conference: May 4, 8:30–5pm @ Quorum Science Center
- Salesforce World Tour NYC: May 25 @ Javits Center
- New Jersey User Group Meeting: Date TBD, Salesforce MVP to discuss Summer ’16 Release Notes
4. Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such
uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially
from the results expressed or implied by the forward-looking statements we make. All statements other than statements of
historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth,
earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future
operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and
customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new
functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations
in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the
outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in
which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage
our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com
products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the
financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our
quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures
are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently
available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions
based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these
forward-looking statements.
5. Agenda
① Setting the Stage: The Human Factor (15 mins)
② Attack Card exercise and discussion (30 mins)
③ Secure Behavior (15 mins)
④ Secure Your Salesforce Org (15 mins)
⑤ Next Steps (15 mins)
9. Bugs in Human Hardware
“Everybody else does it, why shouldn’t I?”
“People are inherently good and I want to be helpful”
“Hmmmm… I wonder what will happen if I…”
“I’d be wrong not to!”
“If I don’t do this, I’ll get in trouble!”
“I’ll get something if I do this!”
12. Attack Card Instructions
Step 1: Have one person in your group read an attack card aloud.
Step 2: For each attack card discuss the following:
• What “Bugs in Human Hardware” and “Entry Point Methods” were used in this attack?
• What's the earliest point that the victim should have known this was an attack?
• What could the individual have done to prevent it?
• Do you think you would have identified the attack in time? If not, how would you have defended yourself?
13. Attack Card Exercise #1: Linked-Into the Network
10 minutes
• What Bugs in Human Hardware and Entry Point Methods were used in this attack?
• What's the earliest point that the victim should have known this was an attack?
• What could the individual have done to prevent it?
• Do you think you would have identified the attack in time? If not, how would you have defended yourself?
Bugs in Human Hardware: Conformity, Fear, Reward, Morality, Curiosity, Trust
Entry Point Methods: Phishing/Malware, Rogue Devices, Dumpster Diving, Eavesdropping, Badge Surfing, Exploiting Public Info, Social Engineering
14. Attack Card Exercise #2: Download on the Road
10 minutes
• What Bugs in Human Hardware and Entry Point Methods were used in this attack?
• What's the earliest point that the victim should have known this was an attack?
• What could the individual have done to prevent it?
• Do you think you would have identified the attack in time? If not, how would you have defended yourself?
Bugs in Human Hardware: Conformity, Fear, Reward, Morality, Curiosity, Trust
Entry Point Methods: Phishing/Malware, Rogue Devices, Dumpster Diving, Eavesdropping, Badge Surfing, Exploiting Public Info, Social Engineering
15. Group Discussion
10 minutes
• What Bugs in Human Hardware and Entry Point Methods were used in this attack?
• What's the earliest point that the victim should have known this was an attack?
• What could the individual have done to prevent it?
• Do you think you would have identified the attack in time? If not, how would you have defended yourself?
Bugs in Human Hardware: Conformity, Fear, Reward, Morality, Curiosity, Trust
Entry Point Methods: Phishing/Malware, Rogue Devices, Dumpster Diving, Eavesdropping, Badge Surfing, Exploiting Public Info, Social Engineering
17. Password Security
• Activate password complexity and rotation rules
  – Password expiration/reset every 90 days
  – Password length at least 8-10 characters
  – Password complexity – mix alpha and numeric characters
• User education
  – No password/credential sharing
  – Discourage password reuse across services
  – Utilization of a strong password manager (example: LastPass)
• Utilize two-factor authentication (2FA) and single sign-on (SSO)
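The rules on this slide are enforced by the platform's Password Policies settings in Setup; the checker below is an added example, not Salesforce code, that encodes the same three rules so an admin can reason about them concretely (for instance when reviewing accounts during onboarding). The thresholds come from the slide (90-day rotation, 8-10 character minimum, letters plus digits); the 10-character value picks the stricter end of the stated range, and the sample passwords and dates are constructed.

```python
"""Checker for the password rules listed on the slide.

Added example, not Salesforce code: in an org these rules are enforced by the
platform's Password Policies settings. Thresholds follow the slide; the
10-character minimum is the stricter end of the stated 8-10 range.
"""
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90   # "Password expiration/reset every 90 days"
MIN_PASSWORD_LENGTH = 10     # "Password length at least 8-10 characters"


def days_until_expiry(last_changed: date, today: date) -> int:
    """Days left before the rotation rule forces a reset (negative once overdue)."""
    return (last_changed + timedelta(days=MAX_PASSWORD_AGE_DAYS) - today).days


def policy_violations(password: str, last_changed: date, today: date) -> list[str]:
    """Return every rule the password currently breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    # "mix alpha and numeric characters": require at least one of each
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    if days_until_expiry(last_changed, today) < 0:
        problems.append(f"expired: last changed {(today - last_changed).days} days ago")
    return problems


if __name__ == "__main__":
    today = date(2016, 3, 24)  # constructed reference date
    samples = [("Tr0ub4dor&3xyz", date(2016, 2, 1)),   # constructed, compliant
               ("password", date(2015, 11, 1))]        # constructed, breaks three rules
    for pw, changed in samples:
        print(f"{pw!r}: {policy_violations(pw, changed, today) or 'compliant'} "
              f"({days_until_expiry(changed, today)} days until expiry)")
```

Password reuse across services, the remaining bullet, cannot be checked from inside one org; that rule stays a matter of user education and a password manager.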
18. Phishing Education
• Pervasive and effective attack vector for installing malware
• Education is key to prevention
• https://trust.salesforce.com - recent threats
• If unsure about a Salesforce email, ask us via security@salesforce.com
• Don’t open attachments that are unexpected or from unknown senders
19. Could your employees fall victim to phishing?
• Internet Creations sent a phishing test to employees
• https://getgophish.com
20. Security Awareness for Users
Small changes in behavior can have a major impact
• 14,000 Salesforce Employees
• 50% Less Likely to Click on a Phishing Link
• 82% More Likely to Report Threats to security@salesforce.com
21. Key Principles – The Human Factor
• Limit the number of users with admin rights
• Provide users with minimum access to do their job
• Create rigorous process for user termination/deactivation
• Basic security training for all users on credential/password security, phishing, and social engineering
• Trailhead for ongoing, role-focused education: https://developer.salesforce.com/trailhead
• Effective security requires cross-org communication
23. Trust: Security at Every Level
Applicable to the Sales Cloud, Service Cloud, Communities, Chatter, database.com, site.com and Force.com. For audits, certification and security information or other services, please see the Trust & Compliance section of help.salesforce.com.
Infrastructure-level Security: Firewall, SSL Accelerators, Web/App Servers, Load Balancers, Database Servers, Trusted Networks
Application-level Security: Authentication Options, Field Level Security, Object Level Security (CRUD), Audit Trail, Object History Tracking
26. Two-Factor Authentication (2FA)
• Provides an extra layer of security beyond a password
• If a user’s credentials are compromised, much harder to exploit
• Require a numeric token on login
• Can be received via app, SMS, email, hardware (YubiKey)
• Walkthrough in your own Org: http://sforce.co/1VWwmpB
27. 2FA Setup
Step 1
Create a permission set titled “Two Factor Authentication”
Name | Setup | Manage Users | Permission Sets | New
28. 2FA Setup
Step 2
Select the “Two-Factor Authentication for User Interface Logins” permission and save this permission set.
Now assign this permission set to the required user by clicking:
Manage Assignment | Add Assignments | Select users | Assign
29. 2FA Setup
Step 3
Upon the next login, users will come across the following prompt:
30. Login IP Ranges
• Limit IP addresses that users can log into Salesforce from (by profile)
• Can restrict by login or on every request
• Lock sessions to IP address they started on
• These features ensure that if a malicious actor steals credentials they cannot use them away from your corporate networks
• Working from home/road – VPN login
31. Login IP Ranges
• Recommended and available for all customers
• Only access Salesforce from a designated set of IP Ranges
• Two levels:
  – Org-level Trusted IP Ranges (permissive)
  – Profile-level Login IP Ranges (restrictive)
Enterprise, Unlimited, Performance, Developer: Manage Users | Profiles
Contact Mgr, Group, Professional: Security Controls | Session Settings
For more info, search Help & Training
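The two levels on this slide are easy to confuse, so here is an added model (not Salesforce code or API) of how a login decision plays out under them, together with the "lock sessions to IP" behaviour from the previous slide. Ranges are given as start/end addresses, as they are entered in Setup. The modelled semantics: profile-level Login IP Ranges deny a login from outside the ranges outright; org-level Trusted IP Ranges let a login from inside skip identity confirmation but never block anything. The outcome for an address inside a profile range but outside the trusted ranges (CHALLENGE below) is an assumption of this model rather than a documented platform guarantee; the sample addresses are constructed from documentation (TEST-NET) blocks.

```python
"""Model of how the two levels of IP control described on the slide interact.

Added illustration, not Salesforce's own code. Profile-level Login IP Ranges
are the restrictive level (outside = denied); org-level Trusted IP Ranges are
the permissive level (inside = no identity confirmation). How a login that is
inside a profile range but outside the trusted ranges is handled (CHALLENGE)
is an assumption of this model. All addresses below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

IpRange = tuple[str, str]  # (start address, end address), inclusive, as entered in Setup


@dataclass
class Profile:
    name: str
    login_ip_ranges: list[IpRange] = field(default_factory=list)  # empty list = unrestricted


def in_ranges(ip: str, ranges: list[IpRange]) -> bool:
    """True if ip falls inside any inclusive start..end range."""
    addr = ip_address(ip)
    return any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in ranges)


def evaluate_login(ip: str, profile: Profile, org_trusted_ranges: list[IpRange]) -> str:
    """Decide what happens to a login attempt from ip: DENY, ALLOW or CHALLENGE."""
    # Restrictive level: a profile with Login IP Ranges rejects everything outside them,
    # which is what stops stolen credentials being used away from corporate networks.
    if profile.login_ip_ranges and not in_ranges(ip, profile.login_ip_ranges):
        return "DENY"
    # Permissive level: a trusted network skips the identity-confirmation step.
    if in_ranges(ip, org_trusted_ranges):
        return "ALLOW"
    # Otherwise the login proceeds only after identity confirmation (e.g. an emailed code).
    return "CHALLENGE"


def request_allowed(session_ip: str, request_ip: str, lock_sessions_to_ip: bool) -> bool:
    """'Lock sessions to the IP address they started on': with the setting on, a session
    token replayed from a different address is rejected instead of being honoured."""
    return not lock_sessions_to_ip or ip_address(session_ip) == ip_address(request_ip)


# Constructed sample data: one office block and a single VPN egress address.
OFFICE = ("203.0.113.0", "203.0.113.255")
VPN_EGRESS = ("198.51.100.10", "198.51.100.10")
ORG_TRUSTED_RANGES = [OFFICE]
RESTRICTED = Profile("Standard User", [OFFICE, VPN_EGRESS])
UNRESTRICTED = Profile("System Administrator")  # no profile-level ranges set


if __name__ == "__main__":
    attempts = [("203.0.113.42", RESTRICTED), ("198.51.100.10", RESTRICTED),
                ("192.0.2.7", RESTRICTED), ("192.0.2.7", UNRESTRICTED)]
    for ip, profile in attempts:
        print(f"{profile.name:21} from {ip:14} -> {evaluate_login(ip, profile, ORG_TRUSTED_RANGES)}")
    print("session replayed from another IP honoured:",
          request_allowed("203.0.113.42", "192.0.2.7", lock_sessions_to_ip=True))
```

The VPN case is the one worth noticing: adding the VPN egress address to the profile's Login IP Ranges is what makes "working from home/road – VPN login" possible at all, and whether that address is also added to the org's Trusted IP Ranges decides only whether those users see an identity-confirmation prompt.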
32. User Deactivation
• Deactivate users as soon as possible
• Removes login access while preserving historical activity and records
• Sometimes users cannot be deactivated: assign new user or reassign approval responsibility first
• Know your IT department’s termination process
Best practice: Freeze users first!
From Setup, click Manage Users | Users.
Click Edit next to a user’s name.
Deselect the Active checkbox and then click Save.
34. Key Takeaways
Check your Security Settings!
Activate and use turnkey security features:
• Enable two-factor authentication
• Implement identity confirmation
• Activate Login IP Ranges
• Deactivate users in a timely manner (freeze them first!)
Consider the human factor when training Salesforce users:
• Password security
• Emails / phishing
35. Resources
• Security for Admins Quick Reference Guide (available today!)
• Security & Compliance Release Webinars – What’s New in Security & Compliance, Spring ’16 (Feb. 25, 8am PST)
• Trailhead: Data Security module (more coming soon!)
• Who Sees What video series (YouTube)
• Dreamforce session recordings (www.dreamforce.com)
• Secure Salesforce series
• Create a Salesforce Force Field for Your Users
• Security Implementation Guide
• ButtonClickAdmin.com